Michael Lee – Thesis Defense
Cryptanalysis of the SIGABA and Related Cryptosystems
  Michael S. Lee
  Master’s Thesis Defense
  June 11th, 2003
Thesis Committee
  Alan Konheim, Chair
  Richard Kemmerer
  Giovanni Vigna
Overview
  Introduction
  Rotors
  Rotor-based Cryptosystems
  Previous Work
  Cryptanalysis
  Conclusion
Introduction
  Feel free to ask questions
  Use the handout
Cryptography in 3 Minutes
  Cryptography
    –Encryption
    –Decryption
    –Transposition
    –Substitution
      Monoalphabetic
      Polyalphabetic
  Cryptanalysis
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Transposition
    x: transposition_
    y: rtnapssotioi_n
  Substitution
    x: substitution
    y: vxevwlwxwlrq
Rise of the Machines
  A lot of arithmetic
  People are bad at arithmetic
  Machines are developed for
    –Speed
    –Accuracy
State of the Art – 1400s
  Cryptographic machines
    –Mechanical
  Jefferson’s Cipher Machine
State of the Art – 1930s
  Cryptographic machines
    –Electromechanical
  German Enigma
  American SIGABA
Tangent: Cryptographic Rotors
  A Rotor: Disc, Axis, Teeth, Contacts, Internal Wiring
Rotor Wiring
  Rotors are wired using a 1-to-1 mapping
Rotor Wiring
  This substitution is denoted y_i = (x_i)
  [Substitution Table: x_i, (x_i)]
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Polyalphabetic Substitutions
  If the rotor moves, it could describe different substitutions as it advances
Polyalphabetic Substitutions
  The encryption equation using the shift:
    y_i = (x_i – A_i) + A_i
    y_i = (D – 4) + 4
    y_i = (25) + 4
    y_i =
  The original can be used regardless of the shift.
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  y_i = (3 – 4) + 4 = Q
  [Substitution Table: x_i, (x_i)]
Multiple Rotors
  Using more than one rotor gives:
    –Longer Period
    –Greater Complexity
  Rotors must move independently, intelligently
Multiple Rotors
  Encryption equation with multiple rotors:
    y_i = _n( … _2( _1(x_i – A_i) + A_i – B_i) + B_i … – N_i) + N_i
Interval Wiring
  Rotors should produce many different substitutions
  Straight-through wiring
  Interval method wiring
SIGABA v. Enigma
  Problems with the Enigma
    –Reflecting rotor
    –Predictable rotor movements
    –Key Exchange Problem
Cipher Rotors
  Plaintext Letter From Keyboard
  Ciphertext Letter to Printer
  Control Signals
Stepping Maze – Index Rotors
Stepping Maze – Control Rotors
  Active Signals
  Stepping Signals
SIGABA Usage
  Insert Index (small) Rotors (from key list)
  Insert the 10 big rotors (line up Os)
  Check for errors in rotor placement
  Line up Os again
  Set Control Rotors to message indicator
  Begin encryption
  During encryption, Z is treated as a space
Previous Work
  Savard-Pekelney Cryptanalysis [1999]
    –Exhaustive Key Trial
      log_2(10! × 2^10 × 26^5 × 10^5) = 71.9
    –Multiple Ciphertext Cryptanalysis
      Intercept many (10-15) ciphertexts such that…
        Every ciphertext uses the same key
      Isolate movements of the outer rotors (C_1 and C_5)
      Recover substitutions of outer rotors
      Continue with inner rotors
Preliminaries – Cribbing
  A crib is a segment of text believed to appear in the plaintext
  Cribbing is the search for the crib within the ciphertext
  Choosing good cribs is not difficult
Preliminaries – Rotorstreams
  The SIGABA uses the stepping maze
  We can simulate stepping maze outputs
  A rotorstream, denoted a, is defined as:
    a = (a_0, a_1, …, a_{n-2}), a_i {0,1}
    A_i = A_0 if i = 0
    A_i = A_{i-1} + a_{i-1} otherwise
  Breaking this model is at least as difficult as breaking the SIGABA
One-Rotor – Overview
  Given
    –ciphertext enciphered with 1 rotor
    –a crib in the ciphertext
  Find
    –internal wiring
    –the position of the crib
  Potential work: 2^s, where s is length of y
One-Rotor – Strategy
  Assume the crib is at a certain position
  Generate a bitstream
  Check the bitstream against the guessed position by looking for inconsistencies
  Consistency test:
    y_i – A_i = (x_i – A_i)
    y_i – A_i = y_j – A_j
    x_i – A_i = x_j – A_j
One-Rotor – Strategy
  Extend the rotorstream bit by bit, and discard candidates that have associated contradictions
One-Rotor – Contradiction!
  i
  a_i
  A_i
  x_i        COMPUTERCOM
  x_i – A_i  COLNSRBNYJG
  y_i – A_i  EGKHASWHNPH
  y_i        EGLJCUZLRUN
One-Rotor – Success!
  i
  a_i
  A_i
  x_i        COMPUTERCOMMUNICATIO
  x_i – A_i  COLNSRBNYJHHPHBURKZE
  y_i – A_i  EGKHASWHNPIIFIWXSLMT
  y_i        EGLJCUZLRUNNKODFBUVD
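The consistency test and bit-by-bit extension from the One-Rotor slides, run on the x_i and y_i rows of the two tables above; this is an added example, not code from the thesis. It assumes A_0 = 0, calls the unknown rotor substitution a "wiring", and takes the positions A_i as the difference between the x_i row and the x_i – A_i row.

```python
# Added illustration of the one-rotor consistency test; not code from the thesis.

def letters(s):
    return [ord(c) - ord("A") for c in s]

def first_contradiction(crib, cipher, positions):
    """Index of the first letter pair that breaks a 1-to-1 wiring, or None."""
    fwd, inv = {}, {}                       # partial wiring and its inverse
    for i, (x, y, a) in enumerate(zip(letters(crib), letters(cipher), positions)):
        u, v = (x - a) % 26, (y - a) % 26   # x_i - A_i and y_i - A_i
        if fwd.setdefault(u, v) != v or inv.setdefault(v, u) != u:
            return i
    return None

def consistent_positions(crib, cipher, a0=0):
    """Depth-first search over rotorstream bits; yields each surviving A_0..A_{s-1}."""
    xs, ys = letters(crib), letters(cipher)
    fwd, inv, path = {}, {}, []

    def walk(i, pos):
        u, v = (xs[i] - pos) % 26, (ys[i] - pos) % 26
        if fwd.get(u, v) != v or inv.get(v, u) != u:
            return                          # contradiction: discard this candidate
        added = u not in fwd
        fwd[u], inv[v] = v, u
        path.append(pos)
        if i + 1 == len(xs):
            yield tuple(path)
        else:
            for bit in (0, 1):              # a_i: the rotor stays or advances
                yield from walk(i + 1, (pos + bit) % 26)
        path.pop()
        if added:                           # undo only what this level added
            del fwd[u], inv[v]

    yield from walk(0, a0)

# x_i and y_i rows of the "Success!" table; positions derived from its x_i - A_i row.
CRIB, CIPHER = "COMPUTERCOMMUNICATIO", "EGLJCUZLRUNNKODFBUVD"
SLIDE_POSITIONS = (0, 0, 1, 2, 2, 2, 3, 4, 4, 5, 5, 5, 5, 6, 7, 8, 9, 9, 9, 10)
BAD_PREFIX = (0, 0, 1, 2, 2, 2, 3, 4, 4, 5, 6)   # positions behind the "Contradiction!" table

if __name__ == "__main__":
    print("contradiction at index", first_contradiction(CRIB, CIPHER, BAD_PREFIX))
    survivors = set(consistent_positions(CRIB, CIPHER))
    print(len(survivors), "surviving streams;", SLIDE_POSITIONS in survivors)
```

In the contradiction case the eleventh pair maps G to H while N already maps to H, so the wiring would no longer be 1-to-1 and the candidate is dropped.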
One-Rotor – Finding the Crib
  [Table: Crib | Crib Position | Length]
One-Rotor – Results
  After running the algorithm with a sufficiently long crib (~20 chars), we find:
    –The location of the crib in the ciphertext
    –A portion of the rotor’s internal wiring
  With a longer crib (~60 chars), the internal wiring can be fully determined.
n-Rotor – Overview
  Previous attack needs too much crib. (~60 chars even for the single-rotor case)
  New attack model assumes that a machine has been captured.
  Given rotor wirings and a ciphertext, find
    –Plaintext
    –The order of the cipher rotors
    –The rotors’ positions and rotorstreams
n-Rotor – Strategy
  First, find the position of the crib in the ciphertext.
  Find the positions of the cipher rotors at that point in the ciphertext.
  Extend the crib from that position to recover the entire plaintext.
n-Rotor – Cribbing
  Previous attack:
    –We knew a long crib
    –Looked for inconsistencies in the substitution
  Current attack:
    –We know the substitution
    –Look for rotor movements that contradict the known substitution
n-Rotor – More Cribbing
  Assume the crib starts at a certain point
  Consider the first letter pair (x_0, y_0)
  Find positions (A_0, B_0) that could produce that pair (one position per rotor)
  For each set of positions, try the next pair
    (A_{i+1}, B_{i+1}) { (A_i, B_i), (A_i, B_i + 1), (A_i + 1, B_i), (A_i + 1, B_i + 1) }
n-Rotor – Yet More Cribbing
  Many of the new (A_{i+1}, B_{i+1}) will not lead to positions consistent with (x_{i+1}, y_{i+1})
  Continue with the survivors and process the other crib letters
  Now for an SSH Example!
n-Rotor – Finding the Crib
  [Table: Crib | Crib Position | Length]
  [Table: Crib | Rotor Order | Length; rotor orders shown: 1R 2R, 2R 1R]
n-Rotor – Results of Cribbing
  After cribbing, we know
    –The order of the cipher rotors
    –The position of the crib within the text
    –The rotational positions of the rotors at the crib
  The next step uses this information to recover the rest of the plaintext
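The cribbing procedure from the n-Rotor slides for two rotors with known wirings, as an added example that is not code from the thesis. The wirings, start positions and rotorstreams are constructed from a seeded random generator, the rotor order is taken as known, and the crib is assumed to be already aligned with the ciphertext.

```python
# Added illustration of n-rotor cribbing with known wirings; not code from the thesis.
import random
from itertools import product

def letters(s):
    return [ord(c) - ord("A") for c in s]

def encipher(x, wirings, pos):
    """One letter through the rotor stack: w_2(w_1(x - A) + A - B) + B, and so on."""
    for w, p in zip(wirings, pos):
        x = (w[(x - p) % 26] + p) % 26
    return x

def crib_survivors(crib, cipher, wirings):
    """Rotor positions at the last crib letter that explain every (x_i, y_i) pair."""
    n = len(wirings)
    moves = list(product((0, 1), repeat=n))       # 2^n ways the rotors can move
    pairs = list(zip(letters(crib), letters(cipher)))
    x0, y0 = pairs[0]
    alive = {p for p in product(range(26), repeat=n)
             if encipher(x0, wirings, p) == y0}
    for x, y in pairs[1:]:
        stepped = {tuple((a + m) % 26 for a, m in zip(p, mv))
                   for p in alive for mv in moves}
        alive = {q for q in stepped if encipher(x, wirings, q) == y}
    return alive

def demo(seed=2003, crib="COMPUTERCOMMUNICATIO"):
    """Constructed case: returns (true positions at last crib letter, survivors)."""
    rng = random.Random(seed)
    wirings = [rng.sample(range(26), 26) for _ in range(2)]   # constructed wirings
    pos = [rng.randrange(26) for _ in wirings]
    cipher, last = [], None
    for x in letters(crib):
        cipher.append(chr(ord("A") + encipher(x, wirings, pos)))
        last = tuple(pos)
        pos = [(p + rng.randint(0, 1)) % 26 for p in pos]     # constructed rotorstreams
    return last, crib_survivors(crib, "".join(cipher), wirings)

if __name__ == "__main__":
    truth, alive = demo()
    print("true positions:", truth, "survivors:", sorted(alive))
```

Repeating the search for each crib offset and each rotor order, and keeping the cases where the survivor set is not empty, gives the other two results listed on the slide.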
n-Rotor – Extending the Crib
  There are 2^n ways that n rotors can move after each letter is encrypted.
  To decipher m letters, the total number of possible rotorstreams is (2^n)^m.
  Strategy:
    –Generate rotorstreams of increasing length
    –Test for and discard bad rotorstreams
Test 1 – Markov Model
  Markov models are statistical models that can be applied to languages
  The model is created from statistical properties of a sample of text
  The sample used in this project is the text of English novels totaling 6MB
Test 1 – Markov Model
  First count all the 2-grams and 3-grams
    count_2(i,j)
    count_3(i,j,k)
  Compute relative probability of 2-grams
    twograms = _{i,j} count_2(i,j)
    (i,j) = count_2(i,j) / twograms
  Compute conditional probability of 3-grams
    P(k / (i,j)) = count_3(i,j,k) / count_2(i,j)
  (i,j) and P(k / (i,j)) form the Markov model
Test 1 – Markov Model
  Test a string S = (s_0, s_1, …, s_{m-1}) with the model X:
    Pr(X_0 = s_0, X_1 = s_1, …, X_{m-1} = s_{m-1}) = (s_0, s_1) _{i=2}^{m-1} P(s_i / (s_{i-2}, s_{i-1}))
  Higher scores are more likely to be English
  A cutoff can be used to eliminate low scores
  Problems:
    –False positives
    –False negatives
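The 2-gram/3-gram model and cutoff from the Test 1 slides, as an added example that is not code from the thesis. The training sample is a short constructed text standing in for the 6MB of novels; scoring in log space, the probability floor, the per-letter cutoff and the letters-only alphabet are assumptions of this sketch.

```python
# Added illustration of the Markov-model filter; not code from the thesis.
import math
from collections import Counter

# Constructed stand-in for the training text.
SAMPLE = ("the rain in spain stays mainly in the plain and the train to the "
          "plain remains in the station while the rain stains the main street")

def train(sample):
    """Return (count_2, count_3) over the letters of the sample."""
    text = "".join(c for c in sample.upper() if "A" <= c <= "Z")
    count2 = Counter(text[i:i + 2] for i in range(len(text) - 1))
    count3 = Counter(text[i:i + 3] for i in range(len(text) - 2))
    return count2, count3

def log_score(s, model, floor=1e-6):
    """log of: relative probability of (s_0,s_1) times each P(s_i / (s_{i-2},s_{i-1}))."""
    count2, count3 = model
    twograms = sum(count2.values())
    score = math.log(max(count2[s[:2]] / twograms, floor))
    for i in range(2, len(s)):
        seen = count2[s[i - 2:i]]
        p = count3[s[i - 2:i + 1]] / seen if seen else 0.0
        score += math.log(max(p, floor))    # floor (an assumption) avoids log(0)
    return score

def keep_likely(candidates, model, cutoff=-3.0):
    """Discard candidates whose average log-score per letter is below the cutoff."""
    return [s for s in candidates if log_score(s, model) / len(s) >= cutoff]

if __name__ == "__main__":
    model = train(SAMPLE)
    for s in ("THERAIN", "STATION", "XQZKJVW"):
        print(s, round(log_score(s, model), 2))
    print(keep_likely(["THERAIN", "XQZKJVW", "STATION"], model))
```

With so small a sample, most real English strings contain an unseen 3-gram and fall below the cutoff, which is the false-negative problem the slide lists.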
Test 2 – aspell/pspell
  Standard spell checking utilities in Unix
  A “word” is any group of letters between spaces
  Every word is checked using pspell
  Problems:
    –False positives
    –False negatives
  Custom word lists can be developed
Test 3 – Manual Removal
  When 3 or more rotors are used, there are still too many strings that pass
  The user can be asked to weed out bad strings
  Another SSH example!
n-Rotor – Conclusion
  Each of the three steps filters out a huge number of possible plaintexts
  Even so, there is a lot of computation
  Adding more rotors will make the problem harder, but still manageable
Conclusion
  The SIGABA represents advanced rotor-based cryptosystem design
  Methods have been proposed that will compromise SIGABA and similar cryptosystems where rotors are advanced by pseudorandom bitstreams
Thank You for Coming!
  Note stereotypical use of “random” bits for decoration
  Sponsored by Alpha Team – F’02
  “We 0wn3d gorbels and cdidit”
  I’ve only used PPT twice in my life … both times were for Dr. Konheim … he hates Powerpoint … so do I
  Curby